metamorpherrat | 4dd9eed2b0a4494c655f07b90acc24b3ca1aeb5792adbe7313e949da14e8b80c

General

Target

4dd9eed2b0a4494c655f07b90acc24b3ca1aeb5792adbe7313e949da14e8b80cN.exe
Size

78KB
MD5

fdca00e3cab6ca4b1624adc781a79e40
SHA1

1da36b77c73dc6ca0d7604861349ed063a0f4d67
SHA256

4dd9eed2b0a4494c655f07b90acc24b3ca1aeb5792adbe7313e949da14e8b80c
SHA512

dcd3b2281d1dd5abf784d332a9344e51360b5c6d81021e1fc230070f457a2078f193596b27ddcf691b79fb780fab7e4d7d1801d8ae99f717632205230f60bee9
SSDEEP

1536:dRWV5jWXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96j9/w81GN:dRWV5jeSyRxvhTzXPvCbW2UM9/e

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2704	tmp562B.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2392	4dd9eed2b0a4494c655f07b90acc24b3ca1aeb5792adbe7313e949da14e8b80cN.exe
2392	4dd9eed2b0a4494c655f07b90acc24b3ca1aeb5792adbe7313e949da14e8b80cN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp562B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4dd9eed2b0a4494c655f07b90acc24b3ca1aeb5792adbe7313e949da14e8b80cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp562B.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2392	4dd9eed2b0a4494c655f07b90acc24b3ca1aeb5792adbe7313e949da14e8b80cN.exe
Token: SeDebugPrivilege	2704	tmp562B.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2760	2392	4dd9eed2b0a4494c655f07b90acc24b3ca1aeb5792adbe7313e949da14e8b80cN.exe	30
PID 2392 wrote to memory of 2760	2392	4dd9eed2b0a4494c655f07b90acc24b3ca1aeb5792adbe7313e949da14e8b80cN.exe	30
PID 2392 wrote to memory of 2760	2392	4dd9eed2b0a4494c655f07b90acc24b3ca1aeb5792adbe7313e949da14e8b80cN.exe	30
PID 2392 wrote to memory of 2760	2392	4dd9eed2b0a4494c655f07b90acc24b3ca1aeb5792adbe7313e949da14e8b80cN.exe	30
PID 2760 wrote to memory of 2832	2760	vbc.exe	32
PID 2760 wrote to memory of 2832	2760	vbc.exe	32
PID 2760 wrote to memory of 2832	2760	vbc.exe	32
PID 2760 wrote to memory of 2832	2760	vbc.exe	32
PID 2392 wrote to memory of 2704	2392	4dd9eed2b0a4494c655f07b90acc24b3ca1aeb5792adbe7313e949da14e8b80cN.exe	33
PID 2392 wrote to memory of 2704	2392	4dd9eed2b0a4494c655f07b90acc24b3ca1aeb5792adbe7313e949da14e8b80cN.exe	33
PID 2392 wrote to memory of 2704	2392	4dd9eed2b0a4494c655f07b90acc24b3ca1aeb5792adbe7313e949da14e8b80cN.exe	33
PID 2392 wrote to memory of 2704	2392	4dd9eed2b0a4494c655f07b90acc24b3ca1aeb5792adbe7313e949da14e8b80cN.exe	33

C:\Users\Admin\AppData\Local\Temp\4dd9eed2b0a4494c655f07b90acc24b3ca1aeb5792adbe7313e949da14e8b80cN.exe
"C:\Users\Admin\AppData\Local\Temp\4dd9eed2b0a4494c655f07b90acc24b3ca1aeb5792adbe7313e949da14e8b80cN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ykar41e9.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5745.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5744.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2832
- C:\Users\Admin\AppData\Local\Temp\tmp562B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp562B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4dd9eed2b0a4494c655f07b90acc24b3ca1aeb5792adbe7313e949da14e8b80cN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5745.tmp

Filesize
1KB

MD5
7d5dac398584e6011ae583eccd0dc8d9

SHA1
473ab5d9870b43106c6ed41cf3accf85eab98132

SHA256
15de35a57d7ff6f666f16adf59e52802aade79611745fb1bd67b9570a013215d

SHA512
ab9a26022b643ab01af05e798ed92d87b21af149bde87be4cecd3062b04acc2421129f05ca19a42f57ba1b1f4c0a0487bf1678d394119426b5eec9c977c13e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp562B.tmp.exe

Filesize
78KB

MD5
767de5eda8b5f19f4ffca77dd61cb208

SHA1
2ebed783fee75c35c36185aae44beefedae0d29b

SHA256
d2dbfe56187a8978cf7f189ca933dbbf67f74e0b9c59fef7ecd8da05a1b62b06

SHA512
e7b6ae2ab65ba7d7720ec36133f4e73fb270b15bd7bb79df33001419ce1082cbbc3ae4a0f1c5c144a15aef07de957b0b7e4903b8352034d356b4325908823e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5744.tmp

Filesize
660B

MD5
f8f50f50c6c92aa9278e270e1f8527b4

SHA1
1c9aae84b99187ee002f8b05daedd507478a75f8

SHA256
0a634f15d5a15cde84d0217f5e246cbe8e6bbe8c1788cdeaf3c4fac6d72cf319

SHA512
45cfa6689343bc1ef6843705df034d6f15d7ef5bcc16a110916c326503e6483e40435427d268011d89f838f2b5773648d6530c52c12804df9026ce53ce5d3b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykar41e9.0.vb

Filesize
14KB

MD5
e2a502fee14020409fa5d327fa45ce4b

SHA1
41ebb312b1c54154931bdf8df507688c95ba599f

SHA256
ae0dcda95e0174934afd870a2259c8c6a7fb938ab070501693a5ef130d3c99da

SHA512
57525cda7829a007d0433a0a71f21bc7a3315b5def38c5366b5e87c16c4cca0986c6aa41edd9069fcea8e84ad1d2b1749c9022046e0ebebadf84eac00accd414

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykar41e9.cmdline

Filesize
266B

MD5
2f542c0dde55a0d82b5e4e561718673e

SHA1
54cb98ac41ab1f882492cd516f6c81d5c63d0662

SHA256
88ac162fb6394f2e7bafa347a9d48d00becda995fbb9b144fc1cfd845aad737f

SHA512
25796476e37b5584efdc84d201dce5f25fe5676692c2b49f99ae5617b6a9ff2c2b6d028c9784ba1b5efeb995720131bbacace3a89a127b156ccf95c9c1692183

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2392-0-0x0000000074561000-0x0000000074562000-memory.dmp

Filesize
4KB

Download
memory/2392-1-0x0000000074560000-0x0000000074B0B000-memory.dmp

Filesize
5.7MB

Download
memory/2392-2-0x0000000074560000-0x0000000074B0B000-memory.dmp

Filesize
5.7MB

Download
memory/2392-24-0x0000000074560000-0x0000000074B0B000-memory.dmp

Filesize
5.7MB

Download
memory/2760-8-0x0000000074560000-0x0000000074B0B000-memory.dmp

Filesize
5.7MB

Download
memory/2760-18-0x0000000074560000-0x0000000074B0B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads